(54) Multilevel security port methods, apparatuses, and computer program products



(57) A multilevel port system on a computer operating under a multilevel operating system to permit contemporaneously opening a plurality of sockets having the same port number while meeting the requirements of an appropriate security policy, thus allowing third party applications to run as if they were unimpeded by the security policy, and methods thereby. The computer system has an operating system adhering to an access control security mechanism. Such systems include government systems wherein a hierarchy of security classification levels is defined (e.g., top secret, secret, classified, unclassified), and commercial systems. Sensitivity labels pursuant to an access control security mechanism include at least hierarchical security classifications, and may include non-hierarchical categories or compartments which represent distinct areas of information in a system. A port is characterized by a port number and a sensitivity label, thus permitting opening a plurality of ports having identical port numbers and unique sensitivity labels.




FIG. 5 






EP 0 849 680 A2 



Description 



TECHNICAL FIELD



The present invention relates to multilevel port methods, apparatuses, and computer program products operable in computer systems, and more particularly, to multilevel port systems operable in multilevel operating systems utilizing multiple security levels.



BACKGROUND 
Secure computer systems restrict information from unauthorized disclosure. Government secrecy systems ensure that users access only permitted information in accordance with predetermined security clearances. Other secure environments protect selected private information including payroll data and other sensitive company data including internal memoranda and competitive strategy documents.

To establish computer security for government or company systems, a security policy is adopted. The security policy establishes rules for managing, protecting and distributing sensitive information. A security policy is typically stated in terms of subjects and objects. Subjects are active within a selected system and include users, processes, and programs, for example. Objects are the recipients of subject action, such as files, directories, devices, sockets, and windows. A security policy may set rules to determine whether a subject user has access to a particular object such as a file.

One well-known security system developed by David Bell and Leonard LaPadula in 1973 describes a multilevel secure computer system having access rules depending upon the security clearances of messaging processes. Security systems based upon access rules rely upon reference monitors which enforce authorized access relationships between subjects and objects of a system. A security kernel concept developed by Roger Schell in 1972 implements the reference monitor notion that all system activity is supervised in accordance with the system's security policy. The kernel accordingly mediates. A "trusted system" has sufficient hardware and software integrity to allow its use to simultaneously process a range of sensitive unclassified or classified information for a diverse set of users without violating access privileges.

Networks require that the security mechanism of a trusted system be able to control communication with the trusted systems. Previously, a network administrator typically had tight control over system connections with other systems. However, with the proliferation of interconnected networks and easy remote access and resource sharing, systems often cannot identify or trust the entire network.

Strategies for establishing security in network environments require labeling data with predetermined security attributes or sensitivity labels, information labels. This enables recognition of data sensitivity at other systems of a network. Because different networks support different security policies, these labels are not necessarily in the same format. In certain secure networks, each system may have a different kind of label. A user sensitivity label specifies the sensitivity level, or level of trust, associated with that user. A file's sensitivity label similarly specifies the level of trust that a user must have to be able to access the particular file. Mandatory access controls use sensitivity labels to determine who can access what information in a system. Together, labeling and mandatory access control implement a multilevel security policy - a policy for handling multiple information classifications at a number of different security levels within a single computer system.

Under mandatory access control, every subject and object in a system supporting mandatory access controls has a sensitivity label associated with it. A sensitivity label generally includes a classification and a set of categories or compartments. The classification system is typically hierarchical, including in a military security model, for example, multiple distinct levels, such as top secret, secret, confidential and classified. In a company environment, other classifications may be followed including labels such as company confidential, or company private.

Typically, for a subject to read an object, the subject's sensitivity level must dominate the object's sensitivity level. A subject's sensitivity label dominates the object's sensitivity label if the subject's classification is equal to or exceeds the classification of the object. Similarly, in order to write an object, the object's sensitivity level must dominate the subject's sensitivity level. In order for a subject to write to an object, the subject's sensitivity level must be equal to or less than the sensitivity level of the object or file. Consequently, in a current mandatory access system, in order for a subject to freely read and write to and from an object, both the subject and the object must have the same classification label. This is the fundamental rule by which an access control system works, and by which two-way communication may take place between trusted computer systems.

In current networked multilevel trusted systems, third-party applications have only limited support for operating effectively. In particular, when multiple processes having different sensitivity labels attempt to access the same object or resource, despite differences in security level, the operation may block. In the prior art diagram of Figure 1, an application runs on a trusted system and attempts to access a resource (i.e., a file, an application, or a database) either on the same system or on another system in a network. For success, the security levels of resource and subject must necessarily be the same in order to permit two-way communication according to the applicable access control security mechanism.
In multilevel trusted systems of the prior art as shown diagrammatically in Figure 1, access to a resource or a service (object) by a process (subject) running at a particular sensitivity level is restricted to objects in memory having the same sensitivity level as the requesting process, as mandated by the access control mechanism. Consequently, two-way communication is precluded where the subject and the object have different sensitivity labels. Once a requested application, service or resource is instantiated in computer memory, a sensitivity label is associated with the process, service, or resource, and access by other processes running applications which also desire to access the resource, but which have a different clearance, is denied.

Another technical problem arises, however, in the prior art system of Figure 2 described below when a port on a receiving system remains open for a substantial period of time at a particular security classification, clearance level, or sensitivity label. This prevents users and systems having different clearances from accessing the same resource, when a port has already been opened and remains open under a different clearance. Since a port number is unique to a resource or third party system being accessed, the unavailability of that particular port effectively precludes other users or systems with different clearances from accessing the third party resource. This effectively renders the resource unavailable to applications operating at different security levels.

Accordingly, there is a need for systems and methods providing access to resources operating at multiple security levels. Such systems and methods must be transparent to processes having different security classification levels.

An additional problem with current multilevel trusted systems is security violations from interlevel signal channel communications between associated system ports or covert channels. A covert channel is an information path that is not ordinarily used for communication in a system and thus is not protected by the system's normal security mechanisms. Thus, there is a secret way to communicate information to another person or program in violation of security protocol. The covert channels convey information by changes in data attributes or by changes in system performance or timing. By monitoring attribute changes for stored data and system timing, confidential information may be inferred. Data characteristics such as message length, frequency, and destination may be protected from analysis of data traffic by an intruder or from a user having a lower classification on the same system, with techniques such as covert channel analysis, padding messages to disguise their actual characteristics, or by sending noise or spurious messages. However, such measures do not guarantee data security.

Accordingly, there is a need for systems and methods to prevent data access in violation of security protocol to ports having a dominant classification in a multi-security level computer system. Such systems and methods must secure access to the dominant port to protect attribute information from compromise to an intruder.

SUMMARY OF THE INVENTION 

The invention is defined in claims 1, 2, 5, 7 and 8, respectively.

According to the present invention, multilevel trusted systems associate multiple port endpoints with a single identifier code indication or name. Use of a single identification to associate multiple port endpoints enables provision of a security check which halts inter-endpoint communication when the endpoints are further associated with a common identifier code indication. This is beneficial because security breaches caused by interlevel communication are diminished.

According to the present invention, use privileges for third-party communication at a selected network level are affirmatively granted at multiple specified levels. This is beneficial as it permits direct and unmodified application operation at desired multiple levels, permitting multilevel trusted system operation without application software modification.

According to the present invention, a computer system comprises a machine-readable program storage device embodying a program of instructions executable by the machine to perform method steps in a multilevel trusted system for establishing a multilevel port to enable multiple, substantially concurrent resource accessing.

According to the present invention, a computer system comprises an operating system kernel supporting a multilevel access control security mechanism for creating an object access packet comprising an internet protocol (IP) header including a destination socket having a machine address and a unique port identifier, a port identifier comprising a port number specifying a resource or object, and a sensitivity label for an access control security protocol. According to the present invention, a plurality of processes are created on a destination system for a single selected port number at a selected unique sensitivity label, permitting resource and object access by multiple users in a multilevel access control system to a selected port according to a selected security policy.

According to the method of this invention, machine readable code opens multiple instances of a selected application, both instances having the same port address and a separate sensitivity label.

According to the present invention, multiple network endpoints having the same port number but separate security classification labels are established, permitting contemporaneous process port access according to a common port number while still adhering to the system security policy. As many ports may be open with the same port number as there are different security classifications used by the system access control security protocol.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of a multilevel trusted system having a plurality of ports and endpoints at predetermined security levels, according to the prior art;

Figure 2 is a flow diagram of a multilevel trusted system according to the prior art, in which a datagram or message packet is communicated between a source system and a destination system;

Figure 3 is a block diagram of a security system according to the prior art;

Figure 4 is a diagram of an internet system according to the present invention;

Figure 5 is a flow diagram of multilevel trusted system operation according to the present invention; and

Figure 6 is a diagram of a multilevel trusted system processing a communications packet according to the present invention.

DETAILED DESCRIPTION OF A BEST MODE OF 
THE INVENTION 

Figure 2 is a flow diagram of a prior art system employing access control security mechanisms. Third party applications require a license verification from a remote third party computer system. Alternatively, license verification may be an object in a process operating on the same system as the process in which the application is running. Once an application is instantiated on a first operating system, it may determine that communication with an object process is required. The kernel on the first system accordingly creates 6 a socket, and constructs 8 a communications packet, including an appropriate header, a machine address, a port number, and a protocol identifier, attaches 10 data and a sensitivity label containing the clearance of the process under which the application is running, and transmits 12 through the socket a data packet over a selected electronic communications medium.

An internet protocol (IP) header typically contains source system information for the system originating communication and information regarding the destination system. This information includes machine numbers of the source and the destination computers, the port numbers or addresses identifying applicable applications and services provided, and the protocol (e.g., TCP/IP, or UDP/IP) by which the two computers will communicate. Port numbers or addresses identify the application or subject running on a client computer, and the application object or resource to be accessed on a destination machine such as a license verification program on a remote machine 13 or server.



During network communication, an IP header and data are electronically communicated 14 from the source system, through a socket endpoint for receipt 8 by a destination server. The destination kernel determines whether a requested port is available 20. If the port is available (i.e., not yet opened), the requested port opens 22 at a clearance level associated with the sensitivity label of the incoming communication. If the requested port number is in use, the request is dropped 32, possibly with a negative acknowledgment (NACK) being returned to the source server. The same classification level is required for two-way communication between a source system and a destination system under an access control security mechanism.

If a request is processed, the destination system opens 22 a port and prepares 16 a reply and an IP header for the reply. An IP sensitivity label for the process under which the object application is running is additionally attached 28 to the reply. Under mandatory access control, the sensitivity label must contain the same security classification as the request of the originating system. The reply packet is further sent 26 to the originating sender, where the packet is trapped 29 by the source kernel and inspected 30 pursuant to the security protocol for that system. If the reply packet is not provided at the same security level as the original request, the packet is dropped 32. Otherwise, the packet is passed on 34 to the requesting application.

Figure 3 shows a multilevel trusted system according to the prior art, including first through fourth instances of the same selected application 40 running concurrently. The application instances of a running application are respective processes 42a-42d. Each of processes 42a-42d is assigned a particular security classification, and each process handles communication between application 40 and kernel 44. The assigned security classification may be a predetermined clearance level based upon the identity of a user or a user category, or a type of application, for example. Kernel 44 controls input/output functions, memory, processes, and operational aspects of running application 40. Kernel 44 mediates relationships 46 between processes of application 40 and selected resources 48, such as objects, services, and external applications connecting to the processes of application 40. Kernel 44 includes a security process 50 ensuring that each process of application 40 communicates only with resources having a security classification consistent with a predetermined security policy. According to a mandatory access control (MAC) system, for example, security process 50 ensures that processes 42a-42d only communicate with resources 48 at the same security classification as the corresponding process of application 40. All MAC objects are accordingly labeled with a security label which is used for communications packets traveling between the application process and the resource with which it has message traffic.

Figure 4 shows a multiuser, multilevel source trusted computer system 50 according to the present invention, which is networked to a second computer system 54 through a communication network 55, such as the Internet. In a typical configuration, several users are networked into a server. Source trusted computer system 50 includes a network including a plurality of user workstations 56a-56, a server 58, and a gateway server 60, which may be employed as a firewall to prevent unauthorized access to source trusted computer system 50. The gateway server 60 includes a memory 61 for storing a kernel (not shown). The second computer system 54 includes a memory 62 for storing a kernel. For incoming messages, a security inspection is performed on incoming packets by the kernel (not shown) of gateway server 60. A received packet is passed into source trusted computer system 50 only after it has been determined that the packet has satisfied the security protocols of the source trusted computer system 50. In a multilevel trusted system using a mandatory access control security protocol, for example, the kernel of source trusted computer system 50 ensures that the sensitivity label of an incoming communications packet is the same as or higher than the sensitivity label of the destination process or port destination of computer system 54 to which the packet is addressed. If the packet security classification is not the same as or higher than the security classification of the destination port, then the packet is discarded from further processing. Message packets are sent through a modem 64 or a network interface card (not shown) over a selected transmission medium 62 formed of a copper wire, a fiber optic link, a microwave line, or a radio broadcast transmission link. The selected link with destination computer system 54 may be directly through a LAN connection, a direct phone link, or indirectly such as through the Internet. Upon reaching the destination computer system server, the message packet is intercepted by the server kernel (not shown). Should the destination server employ an OSI interface, the message packet is preferably analyzed at the lowest software level of the OSI stack, ensuring that the kernel examines the subelements of each message packet.

In one embodiment, each workstation 86 couples through a modem 64 to the Internet 55, and includes a kernel that performs security.

Figure 5 is a flow diagram of a method for establishing multilevel ports according to the present invention in which a requesting application runs on a first data processing node 45 (i.e., Machine One). A second data processing node 86 (i.e., Machine Two) includes a plurality of ports associated with predetermined security classifications. According to the present invention, Machine One runs 68 a selected application, which establishes its own security level consistent with the security clearance of the user. When the application being run calls a resource or object at another data processing node, the local machine kernel opens 70 a socket to the other resource or object for which a message carrying a service request can be made. The socket identifies the destination machine, a port number corresponding to the application program being run, and the local process security level. A port identifier is created by first requesting 72 an applicable security level for the associated port number opened by the kernel. The kernel further checks to see if the requested port is available 74 at that security level. If that port number and security level combination is currently in use (e.g., by another user), the kernel waits 76 for a predetermined time before again polling to determine if the particular security level is available for the port number. On the other hand, if the particular port number and security classification combination is available, the kernel combines the security level and port number to create 78 a port identifier. Then, the applicable IP header for a message packet is created 80 by inserting the port number and security label combination into the protocol spaces of the IP header normally reserved for just the port number. The message packet is completed by attaching 82 application specific data and information into predetermined regions of the IP header to create a complete datagram. The completed datagram packet is then formatted 84 for electronic communication and sent to the destination server 86.

The operating system kernel 86 of data processing node 86 intercepts 88 the packet from Machine One and examines 90 the subelements of the packet to extract the port identifier. Once the port number and security label have been extracted, the kernel determines whether the requested port at the specified security level is in open status, and if so, whether it is presently available 92 for access. If the port is unavailable in that the combined port number and sensitivity label is in use by another application, then the operation terminates 93. If the port is available, applicable data from the message packet is transferred 94 to the applications portion of the applicable operating system stack of data processing node 86 for application processing. After data is provided to the application, an applicable reply is prepared 96 as appropriate, and an applicable IP header is attached 98 to the reply message which is prepared. The reply message is formatted 100 for packet transmission over an electronic network, and sent to first data processing node 45.

The kernel of first data processing node 45 intercepts 102 the applicable reply packet and examines the packet to verify 104 that the reply message has been provided at the same security level as the applicable application process is running in data processing node 44. If the security levels of the local process and the remote message received are the same, the reply is passed 106 to the application for processing. If the reply is at a security level inconsistent with the security level of an applicable local application, the reply packet is terminated and, if applicable, a negative acknowledgment is sent 108 to the second data processing node 86. Although the reply packet examination shown in Fig. 5 indicates that the security level of the reply packet is the same or equivalent to the security level of the application process, according to the present invention, the reply packet may have a lower security level if the reply packet is to be read by the application. Any access controls may be used for receipt of message packets so long as the control is consistent with the system's security policy.

Figure 6 shows a method according to the present invention to determine whether a requested port is available for communication between data processing nodes. In particular, an incoming packet 86i is shown intercepted 110 by a destination system's operating system. Security examination is performed at the data link and network levels of the kernel interface operating system interface 66. The IP header element 112 of packet 86i* is examined and the port number and the security label subelement 114 are identified. The kernel checks to determine if the requested port number is already open 116. If not, the requested port is opened 118 at the security level indicated by the security label. Activities for opening a port at a particular security level are logged 122 to provide a journal or history of the activity and to provide a database of security levels which are presently open for particular port numbers. A decision is made 120 whether to pass the packet to a local application. If all other protocol requirements have been satisfied, the data is passed to the applications process 86" for handling and completion. If all other protocol requirements have not been satisfied, the packet is dropped 108.

If a registered port number requested is already open 116, the operating system kernel determines 124 whether each opened port is at the security level specified by the port identifier's security label. If not, then a new port having the same number as the existing port is opened 118 at the identified security level. The opening of the port is logged 122 to journal the activity, as described above. If the existing open port is at the same security level as identified in the port identifier subelement, then it is determined 126 whether the port is in use. If the port is presently in use, then a mandatory access control protocol precludes another port at the same number and security level being opened. Consequently, a packet is either buffered 128 and checked periodically until a pre-defined time-out 130 occurs, causing packet process termination, or the packet is terminated 108 immediately, or until the port becomes unused 124, 125. If an open port is set to a correct security level but not currently in use 126, then the port activity is logged and a decision is made 120 whether or not to pass the packet. If all other security criteria are met, the packet is forwarded for application processing.
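The following is an added example, not code from the patent, modelling three things the description gives only in prose: the dominance rule of the background section (read: subject dominates object; write: object dominates subject), the reply check 104 of Figure 5 (same level, or a lower level the local process may read), and the destination kernel's port decision of Figure 6 (open a new instance at this number and label, pass to an idle instance, buffer while busy, or drop). The classification ordering, the in-memory dict standing in for the journal/database of step 122, and the `release()` call marking a port idle are assumptions made for this example; the category half of dominance is the standard MAC definition, which the patent's remark about categories implies but does not spell out.

```python
"""Model of the multilevel port table of Figures 5 and 6 (added example, not the
patent's code). Assumed: the classification ordering below, a dict as the
'database of open security levels' (step 122), and that a port instance is in
use from the moment a packet is passed to it until release() is called."""
from dataclasses import dataclass
from enum import Enum

# Hierarchical classifications named by the patent, ordered low to high
# (the ordering itself is an assumption for this example).
LEVELS = {"unclassified": 0, "classified": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class SensitivityLabel:
    """Classification plus optional non-hierarchical categories (compartments)."""
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other: "SensitivityLabel") -> bool:
        # Classification at least as high AND a superset of the other label's
        # categories: a clearance at a level does not cover every category.
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)


def may_read(subject: SensitivityLabel, obj: SensitivityLabel) -> bool:
    """Read rule from the background section: subject dominates object."""
    return subject.dominates(obj)


def may_write(subject: SensitivityLabel, obj: SensitivityLabel) -> bool:
    """Write rule from the background section: object dominates subject."""
    return obj.dominates(subject)


def accept_reply(local: SensitivityLabel, reply: SensitivityLabel,
                 strict: bool = True) -> bool:
    """Reply check 104 on Machine One: same level, or (non-strict variant
    described for the invention) a lower level the local process may read."""
    return local == reply if strict else may_read(local, reply)


class Outcome(Enum):
    OPENED = "new port instance opened at this label"        # step 118
    PASSED = "passed to the existing idle instance"          # step 120
    BUFFERED = "buffered: this number+label is in use"       # step 128
    DROPPED = "dropped: other protocol requirements failed"  # step 108


class MultilevelPortTable:
    """Destination-kernel view: a port is keyed by (number, label), so several
    ports with the same number may be open at different labels."""

    def __init__(self) -> None:
        self.ports: dict[tuple[int, SensitivityLabel], bool] = {}   # key -> in use
        self.journal: list[tuple[str, int, SensitivityLabel]] = []  # step 122 log

    def handle_packet(self, number: int, label: SensitivityLabel,
                      protocol_ok: bool = True) -> Outcome:
        key = (number, label)
        if key not in self.ports:
            # Steps 116/124: nothing open at this number AND label, so open a
            # new instance at the packet's own label and journal it (118, 122).
            self.journal.append(("open", number, label))
            outcome = Outcome.OPENED
        elif self.ports[key]:
            # Step 126: same number and label already busy. MAC forbids a second
            # instance at the same number+label, so the packet waits (step 128).
            return Outcome.BUFFERED
        else:
            # Existing instance at the right label is idle: reuse it.
            self.journal.append(("reuse", number, label))
            outcome = Outcome.PASSED
        # Step 120: remaining protocol checks decide pass versus drop (108).
        if not protocol_ok:
            self.ports[key] = False   # the port stays open but idle
            return Outcome.DROPPED
        self.ports[key] = True
        return outcome

    def release(self, number: int, label: SensitivityLabel) -> None:
        """The process at this number+label finished; the port is idle again."""
        self.ports[(number, label)] = False

    def open_labels(self, number: int) -> set:
        """All labels at which the given port number is currently open."""
        return {lbl for (num, lbl) in self.ports if num == number}
```

A second packet at an already busy number+label is reported as `BUFFERED`; the caller is expected to retry after `release()` or give up at its own time-out (step 130), which this model leaves to the caller.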

According to the present invention, a computer system having an operating system adhering to a selected access control security mechanism includes government systems wherein a hierarchy of security classification levels is defined (e.g., top secret, secret, classified, unclassified), and commercial systems. For purposes of this application, sensitivity labels pursuant to an access control security mechanism include at least hierarchical security classifications, as described above, and may include non-hierarchical categories or compartments. For example, these categories may refer to various plant sites according to particular demographics, product types, as well as categories defined by cross-functional boundaries such as accounting, public relations, marketing, engineering and R&D. Consequently, an entity holding a particular security classification may not automatically be cleared for all information at that level in every category. An application instantiated in the memory of the computer system may require access to a third party resource or object either on the same system or on a different system. The kernel, after determining that the user has permission to demand the resource, generates an IP header in preparation for communicating with the resource. The IP header includes source and destination machine identification numbers, and port identifiers. The port identifier for a destination system comprises a port number specifying a particular resource, database, or service requested by the source application, and a sensitivity label. The sensitivity label includes a security classification or clearance of the process in which the application is running, and may include other information such as category restrictions. The source system kernel attaches any application data to the header to create a datagram or message packet. The source system kernel further opens a communications socket and transmits the resultant packet to a selected destination system.

The destination system kernel receives the packet sent and analyzes the port identifier in the packet header. If the requested port number has not yet been opened on the destination system, the destination system kernel launches the requested application at a process security level consistent with the security level identified by the sensitivity label in the port identifier in the packet header (i.e., a same or lower classification level). The process run may further be qualified by a category designator carrying the security label of the source system packet, establishing multiple ports at the same port number and clearance for different categories. Packet examination and reading occurs according to one embodiment of the present invention at a destination system server, at a gateway server acting as a firewall between a destination server and a third party system, or at any server internetworked with the destination server.

Further according to the present invention, any requested jobs and services are performed. If the clearance of an object process is the same as the source process clearance, the destination system kernel creates a reply packet for transmission to the source computer system. However, if the destination system kernel determines that the port number is open, but that the sensitivity label associated with the source is different from the sensitivity label of the opened port, the destination system kernel will open another port having the same port number at a security classification consistent with the sensitivity label of the source port identifier. Similarly, should another incoming packet have a source port identifier in its IP header request the opening of a third instantiation of the destination port at a third, different security classification, the destination system's kernel launches a third instantiation of the application pursuant to a process having a security classification consistent with the sensitivity label of the third port identifier. It is clear that as many instantiations of an application having the same port number may be opened, or running contemporaneously, as there are classification levels. Moreover, if additional categories are used to create unique port identifiers, then the number of ports having a common port number that might be opened contemporaneously is the sum of the number of categories.

If a destination system kernel determines that a port number is open at a particular classification level or for the same category and is available, the destination system kernel passes the received packet to an open destination process. However, if a destination port having the appropriate classification level or the same category is presently occupied with a previously received request, the destination system kernel does not pass the received packet to an associated destination process. Instead, the receiving kernel may buffer the received packet until a process becomes available at an acceptable security level, or the kernel may reject the packet. An appropriate response message may then be sent back to the source system.

By way of example without limitation, an application instantiated in the operating system of a computer may require access to an external resource for license validation or verification. As a result, the receiving system operating system constructs a datagram or message packet comprising an IP header including source and destination socket identifications and communications protocols, and may attach a license validation request associated with the application. A socket associated with a source process includes a machine address and a port number identifying a desired resource (e.g., the license validation service). According to the present invention, a new port identifier comprises a port number and a sensitivity label. Upon receipt of a message datagram or packet by a recipient license server, a receiving kernel examines the received message according to receiving system security protocols. The receiving kernel determines whether the port designated by the received message at the particular classification indicated by the sensitivity label in the message header is open. If the port at that classification is not open, or is unoccupied, then the kernel transfers the received message packet to a communications manager and opens a licensing verification application instantiated in a process at the indicated security label. If the port at the designated security classification has already been opened and is occupied (i.e., the required resource is in use by another user at the same security classification), the packet is buffered or dropped and a negative acknowledgment may be communicated back to the source system.
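The destination-side decision procedure described above and in the license-server example (open a new instantiation at the requested label, pass the packet to an unoccupied port at that label, buffer or reject when it is occupied), modelled in Python as an added example that is not part of the patent. The integer classification encoding, the max_classification policy check of the security daemon, and the packet dictionaries are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class SensitivityLabel:
    """Hierarchical classification plus non-hierarchical categories (compartments)."""
    classification: int                          # assumed encoding: 0=unclassified .. 3=top secret
    categories: FrozenSet[str] = frozenset()

# The composite port identifier: a port number alone no longer names a port.
PortIdentifier = Tuple[int, SensitivityLabel]

@dataclass
class PortInstance:
    identifier: PortIdentifier
    busy: bool = False                           # occupied by a previously received request

class MultilevelPortTable:
    """Destination kernel's table of open ports, keyed by (port number, label)."""

    def __init__(self, max_classification: int):
        self.max_classification = max_classification  # assumed policy: highest level this host may run
        self.ports: Dict[PortIdentifier, PortInstance] = {}
        self.buffered: List[dict] = []

    def dispatch(self, packet: dict) -> str:
        """Return the action taken on an arriving packet {'dst_port': int, 'label': SensitivityLabel}."""
        label: SensitivityLabel = packet["label"]
        if label.classification > self.max_classification:
            return "rejected"     # security daemon refuses a port above the host's clearance
        ident = (packet["dst_port"], label)
        inst = self.ports.get(ident)
        if inst is None:
            # No port at this (number, label): launch a fresh instantiation at that level.
            self.ports[ident] = PortInstance(ident, busy=True)
            return "opened"
        if not inst.busy:
            inst.busy = True
            return "passed"       # existing, unoccupied port at this label receives the packet
        self.buffered.append(packet)
        return "buffered"         # occupied at this label: hold until the process frees up

    def release(self, port: int, label: SensitivityLabel) -> None:
        """Mark the instantiation at (port, label) free for the next request."""
        self.ports[(port, label)].busy = False

    def instances_of(self, port: int) -> int:
        """Number of contemporaneous instantiations sharing this port number."""
        return sum(1 for (num, _) in self.ports if num == port)
```

Three packets for the same port number with three distinct labels (two classification levels, plus one compartment) each open their own instantiation, while a second packet at an already occupied label is buffered until release.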

According to the present invention, a security daemon resident in the receiving system executes a receiving system security protocol and determines whether to receive arriving message packets and whether to open a port at a requested security level. The security daemon according to one embodiment of the present invention operates between an Open Systems Interconnection (OSI) data link layer and OSI network layer. By inspecting incoming datagram and packet messages, the security daemon ensures that the kernel intercepts and inspects packets and messages traversing local interfaces. The security daemon according to the present invention accesses individual packet elements and sub-elements of the port identifier.

According to the present invention, multiple system sockets or endpoints having the same port number and a unique sensitivity label are opened to third party applications at network endpoints including multilevel trusted systems.

Although the invention is described herein in terms of preferred embodiments, it is understood that after having read the above description, various alternatives will become apparent to those persons skilled in the art. For example, the security label need not be associated with the port number at the source server. A composite port identifier according to the present invention, which comprises both a port number and a security label, can be constructed at any time prior to the opening of a destination port. Accordingly, software modifications at the source data processing need not include combining the security label with the port number. The security label may be associated with the data in a transmittal packet, and combined with the port number incident to examination by the destination server kernel. The present invention accordingly includes the scope of the appended claims stated as broadly as the prior art and the specification will permit.

Claims 

1. A computer program product comprising:

    a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port identifier for at least one of said ports, permitting multiple, simultaneous access to the port, said computer code mechanism comprising:

    first computer readable code mechanism for constructing a communications packet comprising a protocol header in turn comprising at least source machine identification, source port number, and destination port identifier region, said destination port identifier region including a destination port number and sensitivity label subregion; and

    second computer readable code mechanism for permitting reception of communications packets for establishing receiver ports.

2. A first program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to establish a multilevel port for enabling multiple, simultaneous access of a resource in a multilevel trusted system, said first program storage device comprising:

    first computer readable code devices configured to receive a communications packet from a source machine running an application instantiated in a first process, said packet comprising at least a first destination port number and a first sensitivity label;

    second computer readable code devices configured to examine said packet for identifying said port number and said sensitivity label, said port number and said sensitivity label together providing a port identifier;

    third computer readable code devices configured to compare said port identifier to port identifiers associated with pre-existing open ports; and

    fourth computer readable code devices configured to open a port having the same port number as pre-existing open ports when said sensitivity label of said port identifier is unique as compared to sensitivity labels of pre-existing open ports, said opening permitting contemporaneous processes associated with a plurality of ports having the same port number and a unique sensitivity label.

3. A first program storage device as in claim 2 further comprising a kernel having a security portion, said security portion including said third and fourth computer readable code devices.

4. A first program storage device as in claim 3, further comprising:

    fifth computer readable code devices configured to pass a data portion of the communications packet to the process instantiating the application associated with the port previously opened in said port opening step;

    sixth computer readable code devices configured to prepare a reply communication packet for transmission to said first process, said reply communication packet comprising at least a destination port number, a second sensitivity label, and a reply;

    seventh computer readable code devices configured to transmit said reply communication packet to said source machine; and

    eighth computer readable code devices configured to process said reply communication packet by said source machine in accordance with the security protocol of said source machine.

5. A computer having a multi-level trusted operating system, comprising:

    a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated by a common port number, each of said ports having a unique sensitivity label, the combination of said port number and said sensitivity label defining a unique port identifier for each of said ports, said plurality of ports permitting multiple, simultaneous access of said common port number, said computer readable code mechanism in said multi-level trusted system.

6. A computer as in claim 5, wherein said computer readable code mechanism also includes computer readable code means for receiving a communications packet, for examining the packet to extract a destination port number and a sensitivity label, for determining the availability of a port having a unique port identifier address, and for opening a port having a unique port identifier address.

7. A multilevel port for permitting simultaneous access by a plurality of processes, each process having a different sensitivity label, the multilevel port defined by a common port number and a plurality of selected, unique sensitivity labels to permit two-way communication between said port and a plurality of processes having the same sensitivity labels.

8. A method for enabling simultaneous access of a port by a plurality of processes in a multilevel trusted system, comprising the steps of:

    intercepting a first communications packet in a second computer system, said communications packet generated by the kernel of a first computer system, said communications packet comprising a destination port number and a first sensitivity label;

    examining the communications packet to extract and identify said port number and said sensitivity label, said port number and said sensitivity label combination defining a port identifier;

    comparing said port identifier to the port numbers and sensitivity labels of pre-existing open ports;

    establishing a port in the event no pre-existing open port has the same port identifier as defined in said communication packet;

    passing the data portion of said communication packet to an applications process in said second computer system, said applications process having a port number and sensitivity label equivalent to said port identifier.

9. A method for enabling simultaneous access of a port as in claim 8 further comprising:

    preparing a reply;

    constructing a second, return communications packet, said return communications packet comprising at least a reply, a source port number, and a second sensitivity label associated with said applications process in said second computer system;

    transmitting said second communications packet to said first computer system;

    intercepting said second communications packet by a kernel in said first computer system;

    comparing said first sensitivity label to said second sensitivity label; and

    processing the reply in accordance with the security protocol associated with the kernel in said first computer system.

10. A method for enabling simultaneous access of a port as in claim 8 wherein said intercepting step is performed by a daemon operating between the data link and the network layers of a second computer system operating under an OSI protocol.